12 items · Free checklist

EU Digital Operational Resilience Act (DORA) Compliance Checklist 2026

EU DORA (Regulation 2022/2554, in application January 17, 2025) applies to 20 categories of EU-regulated financial entities and their ICT service providers. It mandates a harmonized ICT risk managemen

Maximum penalty: 2% of total annual worldwide net turnover for financial entities; up to €5,000,000 for ICT service providers; €1,000,000 per day for critical ICT providers.

Complete each item below to achieve compliance. Use ComplianceIQ to generate all required documentation automatically.

Regulatory Requirements

1. ICT Risk Management Framework

Implement a documented ICT risk management framework covering all ICT assets, including AI tools and services. It must include risk identification, protection measures, detection capabilities, response protocols, and recovery procedures. Board-level oversight of ICT risk is required.

2. Third-Party ICT Risk Assessment (AI Vendors)

Assess and document ICT risks from all third-party ICT service providers, including AI tool vendors (OpenAI, Microsoft Copilot, etc.). Contracts with ICT service providers must include mandatory clauses: security requirements, audit rights, exit strategies, and incident notification obligations.

3. Major ICT Incident Reporting

Establish incident management processes to detect, classify, and report major ICT-related incidents to the relevant national competent authority. This includes incidents caused by or involving AI systems. Initial report within 4 hours; full report within 72 hours.

4. Digital Operational Resilience Testing

Conduct annual resilience testing of ICT systems, including AI tools (vulnerability assessments, penetration testing). Significant institutions must conduct Threat-Led Penetration Testing (TLPT) every 3 years.

Implementation Steps

5. Classify all AI-driven credit scoring, fraud detection, and trading systems

6. Apply EU AI Act high-risk classification to AI in credit scoring (Annex III)

7. Comply with DORA requirements for ICT resilience of AI-driven systems

8. Implement explainability for AI credit decisions (ECOA/Reg B adverse action notices in US)

9. Review CFPB guidance on AI in consumer credit decisions

10. Ensure Fair Credit Reporting Act (FCRA) compliance for AI that uses consumer reports

11. Conduct model risk management (SR 11-7 guidance for US banks)

12. Test AI models for disparate impact on protected classes quarterly